[286+] Account protection suggestions

Posted 4 years, 2 months ago (Edited 2 years, 1 month ago) by AcneScars

What's your favorite feature?

232 Votes Two Step Authorization
47 Votes Login information log
15 Votes Captcha
81 Votes All
38 Votes None

Greetings, Toyhou.se!
Toyhou.se is one of the very few websites I use that does NOT have any system to protect your account(s). So, today I am here to make my case on why I think Toyhou.se should add more of their resources to changing this.

Suggestion One: Two Step Authorization

Two Step Authorization is one of, if not the most, common ways websites protect users' accounts. There are many ways to enable Two Step Authorization that are accessible to most users. Adding two or more options so users can pick which Two Step Authorization they want is the best way to go about it. And the best thing about it is it's optional in a majority of cases. If users don't want it, they don't need to have it!

Here are some common Two Step Authorizations:

  • E-mail: The user gets a code via their e-mail inbox.
  • SMS: The user gets a code sent via their phone number messaging system. 
  • Third-party App: The user needs a third-party app (typically on their phone) and the app generates the code.

Suggestion Two: Security Questions

Another way that is common is adding security questions. A user will be asked to add the security questions via their Settings page and then the prompt to fill in the answers will be triggered if suspicious activity is found and/or every new login. Personally, I don't suggest this. It's deemed very annoying on the user end; however, it's one of the easier ways to implement account protection.

Suggestion Three: Login Information Page

Login information, or a list of your login data, is a page to show all of your login activity, typically within a 30 or 60 day window.

This page can show information such as:

  • IP addresses / Estimated Location 
  • Device Information 
  • Login Date + Time
  • Etc, etc. 

This information is used so that the user can determine if they notice an unauthorized login. The user can then decide to change their password/e-mail/etc. Sometimes the feature to disconnect a current connection is possible as well. (To boot off users you don't recognize, etc.) (Last sentence inspired by Xen's response.)

Suggestion Four: Captcha 

Adding a Captcha at the login page can help prevent password guessers. Data leaks are common, and a lot of people reuse the same password for everything. So password guessing (whether with a machine or manually) is extremely common. Captcha should only be triggered after a few failed login attempts and shouldn't be added for every login attempt in general. (Unless you have a bot problem.)


Suggestion Five: Character Transfer/Deletion Delay  

An optional cool-down feature would be neat as well. The user should be able to enable it for a single character or for all of their characters via a Settings page. "For that same reason, maybe have a cooldown option on trades/deletion of certain characters? So that when you have it enabled, the character, when transferred or deleted, will remain pending for a certain amount of time, e.g. seven days, leaving the owner with enough time to react in case the action was not performed by them." (Suggestion by Vuurstern)

Suggestion Six: Link/button Approval Via E-mail

Sometimes a website will send you an e-mail to approve/deny a login attempt, typically via a generated authorized link. (Suggestion by lophiusdragon & nyan_cat)


Why do you need account protection? 

Account protection is very important to protecting things you care about, such as: 

  • Your creations: Artwork credit and/or protecting your ownership tab rights. 
    • Preventing users from removing your rightful credits. 
  • The characters you're hosting on your account. (Protecting their images, their bios, their credits, etc.)
    • When someone gets into your account, they can delete or transfer the characters. 
  • Your reputation as a user on the site.
    • The credibility you've formed by making sales/commissions, etc. 
  • Etc, etc. 


ANYONE CAN BE A VICTIM! 

  • Well-known artists and creators are high-risk for having their accounts be compromised.
  • Users with plenty of characters or plenty of artwork are also at risk of being compromised. (Highly desired characters or CS)
  • Someone who was close with someone but it ended sourly could be seeking revenge.
  • Maybe impersonation of an inactive account.
  • Maybe it's to get around the invite-only system. 
  • Etc, etc. 

You can think of many reasons why someone would want to get the account of another user - any reason is enough.

millenialgrey

Log in information is actually super useful for admins as well as its users. I also like two-step authorization and use that on many sites because it sends to my email or my phone. Captcha is annoying and something I don’t personally like, and there are bots that can get around that now, and human beings sure can, so I see it as a thing of the past in the near future.

However, in regards to personal experience with log in information, I’ve worked on a site with log in information saved for each log in by each user. This provides information to ban users, search via an IP for accounts, and also if there’s any dangerous or illegal activity going on (which is common on all sites that allow anyone under 18), you can contact their local police department, and internet provider! Paired with the system letting the user know of any unusual log in attempts or successful log ins from unknown devices/IPs, this can be really important and save accounts from being hacked, and your monetary accounts from being accessed.
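
Added example (not part of either post above, and not Toyhou.se code): a per-account login history that covers the login information page from Suggestion Three, the "only after a few failed attempts" captcha rule from Suggestion Four, and the unknown device/IP notice described in this reply. The thresholds, class names and sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CAPTCHA_AFTER_FAILURES = 3              # assumed value for "a few failed attempts"
FAILURE_WINDOW = timedelta(minutes=15)  # assumed look-back for counting failures
RETENTION = timedelta(days=30)          # the 30-day window from the post


@dataclass
class LoginEvent:
    when: datetime
    ip: str
    device: str
    success: bool
    unfamiliar: bool = False  # success from an IP/device pair not seen before


@dataclass
class LoginLog:
    """Hypothetical per-account login history."""
    events: list = field(default_factory=list)

    def record(self, when, ip, device, success):
        # Drop entries older than the retention window before adding a new one.
        self.events = [e for e in self.events if when - e.when <= RETENTION]
        known = {(e.ip, e.device) for e in self.events if e.success}
        # The very first login has nothing to compare against, so it is not flagged.
        unfamiliar = success and bool(known) and (ip, device) not in known
        event = LoginEvent(when, ip, device, success, unfamiliar)
        self.events.append(event)
        return event  # caller e-mails the owner when event.unfamiliar is True

    def captcha_required(self, now):
        # Count consecutive recent failures; a success or a stale entry ends the run.
        recent = 0
        for e in reversed(self.events):
            if e.success or now - e.when > FAILURE_WINDOW:
                break
            recent += 1
        return recent >= CAPTCHA_AFTER_FAILURES

    def page(self):
        # Rows for the user-facing login information page, newest first.
        return [(e.when.isoformat(), e.ip, e.device,
                 "ok" if e.success else "failed", e.unfamiliar)
                for e in reversed(self.events)]
```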

LunarScythe3

+1 would love this since TH is pretty much all I use so I'd be really glad to have the 2 step auth

TheEliBlog

+1 for sure

lonelysaturnadopts

+1 definitely!

AcneScars

Hey, everyone! Saw this post got some more attention again so I decided I would update the OP.

I can't update the poll, sadly. But it is what it is. (If I can, I don't know how to - so let me know so I can change it!)

As a side note, I also went back and updated all of my previous replies. I didn't actually change their contents/what I said in them, just fixing the grammar/spelling/wording to make it easier for people to read. I also deleted my replies if people deleted their replies, so it's less confusing to read if you didn't see the previous replies. I also updated people's usernames to reflect username changes. 

Old post (Feb 2020 - March 2022)

I've looked almost everywhere and I couldn't seem to find any information on it, but - add two step!

There are many ways to add two step. Whether it's through a text message on your phone, an app through your phone or an email sending you the code - Two step is very important to me and it's important to a lot of people.

Toyhou.se is the ONLY website I use that I do not have two step on. And that makes me anxious! There's no harm in adding additional, optional protection to users' accounts.

Another security suggestion that I'ma throw in here - I would love a way to see login information! (A log of past logins in the 30 days.) - I'm not sure if this is an existing feature, but I couldn't find it.

Counting there isn't a way to prevent users from logging in if they have the password, it would be nice to have a feature where I can notice if someone DID login.

Another thing that's easy to add and isn't too inconvenient - Maybe add a captcha feature for people logging in?

This is only to keep people from using password guessers. Which, from the looks of it, isn't an issue but nice just in case for when Toyhou.se leaves Beta.

Toyhou.se isn't exactly known for accounts being up for risk, however, as it currently stands, there's actually no way to protect a user's account. It's just nice to have and I don't see any harm in adding some of these things.

veilune

+1 this site really needs more security